6 December 2023
Your overall rating was amber.
- 5: Not yet implemented or planned
- 0: Partially implemented or planned
- 9: Successfully implemented
- 17: Not applicable
RED: not implemented or planned
Your business has reviewed how you ask for and record consent.
- Check that consent is the most appropriate lawful bases for processing.
- Make the request for consent prominent and separate from your terms and conditions.
- Ask individuals to positively opt in.
- Use unticked opt-in boxes or similar active opt-in methods.
- Use clear, plain language that is easy to understand.
- Specify why you want the data and what you’re going to do with it.
- Give granular options to allow individuals to consent separately to different types of processing wherever appropriate.
- Name your business and any specific third party organisations who will rely on this consent.
- Tell individuals they can withdraw consent at any time and how to do this.
- Ensure that individuals can refuse to consent without detriment.
- Don’t make consent a precondition of service.
Guide to the UK GDPR - Consent, ICO website
Your business has systems to record and manage ongoing consent.
- Keep a record of when and how you got consent from the individual.
- Keep a record of exactly what they are told at the time.
- Regularly review consent to check that the relationship, processing and the purposes have not changed.
- Have processes in place to refresh consent at appropriate intervals, including any parental consents.
- Consider using privacy dashboards or other preference management tools as a matter of good practice.
- Make it easy for individuals to withdraw their consent at any time and publicise how to do so.
- Act on withdrawals of consent as soon as you can.
- Don’t penalise individuals who wish to withdraw consent.
If current consent don’t meet the UK GDPR’s high standards or is poorly documented, you will need to;
- seek fresh UK GDPR-compliant consent; or
- identify a different lawful bases for your processing (and ensure continued processing is fair); or
- stop the processing.
Guide to the UK GDPR - Consent, ICO website
Your business has paid the data protection fee to the Information Commissioner's Office.
- continue to register with the ICO, if your annual registration is due before May 2018; and then
- following May 2018, or when your current annual registration expires, refer to our guidance to determine what you need to pay.
Read our guide to find out what you need to pay after May 2018.
Guide to UK GDPR - Guide to Data Protection Fee, ICO website
Where required, your business has appointed a DPO. In other cases, you have nominated a data protection lead.
- designate responsibility for data protection compliance to a suitable individual;
- support the appointed individual through provision of appropriate training;
- ensure there are appropriate reporting mechanisms in place between the individual responsible for data protection compliance and senior management;
- register the details of your DPO with the ICO; and
- document the internal analysis carried out to determine whether or not a DPO is to be appointed, unless it is obvious that your organisation is not required to designate a DPO.
Guide to the UK GDPR - Data protection officers, ICO website
Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.
- clearly set out your business’s approach to data protection and assign management responsibilities;
- ensure you have a policy framework and information governance strategy in place to support a positive data protection and security culture which has been endorsed by management;
- assess and identify areas that could cause data protection or security compliance problems and record these on your business's risk register;
- deliver training which encourages personal responsibility and good security behaviours; and
- run regular general awareness campaigns across your business to educate staff on their data protection and security responsibilities and promote data protection and security awareness and compliance.
Think Privacy training, ICO website
GREEN: successfully implemented
Your business has conducted an information audit to map data flows.
Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.
Your business has identified your lawful bases for processing and documented them.
Your business has an appropriate data protection policy.
Your business monitors its own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.
Your business provides data protection awareness training for all staff.
Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.
Your business has an information security policy supported by appropriate security measures.
Your business has effective processes to identify, report, manage and resolve any personal data breaches.
If your business relies on consent to offer online services directly to children, you have systems in place to manage it.
Your business has made privacy information readily available to individuals.
Your business communicates privacy information in a way that a child will understand.
If you may be required to process data to protect the vital interests of an individual, your business has clearly documented the circumstances where it will be relevant. Your business documents your justification for relying on this basis and informs individuals where necessary.
If you are relying on legitimate interests as the lawful basis for processing, your business has applied the three part test and can demonstrate you have fully considered and protected individual’s rights and interests.
Your business has established a process to recognise and respond to individuals' requests to access their personal data.
Your business has processes in place to ensure that the personal data you hold remains accurate and up to date.
Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked for it to be erased.
Your business has procedures to respond to an individual’s request to restrict the processing of their personal data.
Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.
Your business has procedures to handle an individual’s objection to the processing of their personal data.
Your business has identified whether any of your processing operations constitute automated decision making under Article 22 of the UK GDPR and has procedures in place to deal with the requirements.
Your business has a written contract with any processors you use.
Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.
Your business understands when you must conduct a DPIA and has processes in place to action this.
Your business has a DPIA framework which links to your existing risk management and project management processes.
Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the United Kingdom.
You can download this report as a Word document using the button on the top right corner of the page. If you have an problem downloading the report into a word document please let us know.
Thank you for completing this checklist. Please complete our short feedback survey to help improve our toolkit.
The survey should take around three minutes to complete.